Virtual private network manager GUI with links for use in configuring a virtual private network
A system and method for managing a virtual private network. The system and method include a graphical user interface. The graphical user interface is configured to display at least one link for accessing, via the internet, a web-page associated with a switch offering virtual private network functions.
This application is a continuation of prior application U.S. Ser. No. 09/285,558 filed on Apr. 2, 1999 now abandoned which is incorporated herein by reference.
BACKGROUND
This invention relates particularly to providing links for configuring a virtual private network.
LANs (Local Area Networks), Intranets, and other private networks interconnect user computers, file servers, e-mail servers, databases, and other resources. Typically, organizations want to offer remote access to private network resources to traveling employees, employees working at home, and branch offices without compromising the security of the private network.
Virtual private networks (a.k.a. Extranets) securely stitch together remote private networks and remote computers using a public network such as the Internet as a communication medium. Each private network can connect to the public network via an extranet switch such as the Contivity™ Extranet switch offered by Nortel™ Networks. Extranet switches provide a variety of virtual private network functions such as network packet tunneling and authentication.
For configuring the functions provided by the switch, Contivity™ switches offer a web-server and web-pages programmed to configure the different virtual private network functions in response to administrator interaction with the web-pages. By using a browser to navigate to each virtual private network switch, one after another, the administrator can configure the tunneling, authentication, packet filtering, and other functions provided by the switch. Management functions provided by the Contivity™ switches are described in greater detail in the New Oak™ Communications Extranet Access Switch Administrator's Guide.
SUMMARY OF THE INVENTION
In general, in one aspect, a method of managing a virtual private network includes providing a graphical user interface configured to display at least one link for each of a plurality of computers offering virtual private network functions.
Embodiments may include one or more of the following features. The computers may be extranet switches. The links may be HTTP (HyperText Transfer Protocol) links. The links may link to information describing users of the virtual private network functions provided by the computers, packet filters provided by the computers, and/or computer access hours. The method may further include transmitting an HTTP request in response to selection of a link.
The method may further include providing a list of the computers offering virtual private network functions in the same display as a link. The link displayed may correspond to a computer selected from the list of computers offering virtual private network functions.
In general, in another aspect, a method of managing a virtual private network includes providing a graphical user interface display that includes a list of extranet switches offering virtual private network functions, and a collection of HTTP links for an extranet switch selected from the list, the links causing transmission of an HTTP request.
In general, in another aspect, the invention features a computer program product, disposed on a computer readable medium, for managing a virtual private network. The program includes instructions for causing a processor to provide a graphical user interface configured to display at least one link for each of a plurality of computers offering virtual private network functions.
In general, in another aspect, the invention features a computer program product, disposed on a computer readable medium, for managing a virtual private network. The program includes instructions for causing a processor to provide a graphical user interface display that includes a list of extranet switches offering virtual private network functions, and a collection of HTTP links for an extranet switch selected from the list, the links causing transmission of an HTTP request.
Advantages may include one or more of the following.
By providing links corresponding to different computers providing virtual private network functions, an administrator can quickly access a desired page on any particular computer. The administrator can also quickly access the same page (e.g., the users page) on a variety of different switches, one after another. Additionally, the links obviate the need to remember the different URLs of the different computers offering virtual private network functions.
Other advantages of the invention will become apparent in view of the following description, including the figures, and the claims.
Introduction
An extranet switch manager provides administrators with a tool that centralizes management of different extranet switches in a virtual private network. The manager can bulk configure multiple extranet switches, prepare reports describing the extranet switches, provide convenient access to individual switch configuration mechanisms, and provide an intuitive representation of virtual private network elements. The manager offers these capabilities to an administrator via an easy to use graphical user interface (GUI). After an administrator enters IP (Internet Protocol) addresses of extranet switches in a virtual private network, the switch manager can quickly import and export data to both view the current configuration and activity of the switches and quickly alter the configuration of one or more switches.
Bulk Configuration of Multiple Extranet Switches
As shown in
Each switch 100a, 100b can provide different tunneling protocols (e.g., PPTP (Point-to-Point Tunneling Protocol), L2F (Layer 2 Forwarding), L2TP (Layer 2 Tunnel Protocol), and IPSec (IP Secure)), different encryption schemes, different authentication mechanisms (e.g., internal or external LDAP (Lightweight Directory Access Protocol) and RADIUS (Remote Authentication Dial-In User Service)), and different packet filtering schemes (e.g., filtering based on the direction of communication, the source and/or destination of a packet, and/or the type of TCP (Transfer Control Protocol) connection established). As shown in
Referring to
When the extranet switch 100b at the end of the tunnel 120 receives a packet, the extranet switch 100b can decrypt and de-encapsulate the packet for delivery to its destination 108. The second extranet switch 100b can also authenticate information received from the first extranet switch 100a to make sure a would-be intruder is not masquerading as a member of the virtual private network 102.
As shown, a switch 100a can also provide tunnels for a remote user 114 connected to the public network 104. For example, an employee can access private network 110 resources by connecting to an ISP (Internet Service Provider) and establishing a tunnel 122 with an extranet switch 100a. Again, the extranet switch 100a can authenticate the identity of the remote user 114 to prevent unauthorized access to the private network 110.
The extranet switch 100a can also connect tunnels. For example, if so configured, the switch could connect 124 tunnels 120 and 122 to enable the remote user 114 to also access resources on private network 106 via tunnels 122 and 120.
Referring to
Referring to
In one implementation, switch manager instructions 116 include instructions for a graphical user interface 144 (GUI), a script interface 140, and configuration 142 instructions that model the extranet switches and coordinate the exchange of information between the GUI 144 and the script interface 140. When a user specifies bulk configuration information via the GUI 144, the script interface 140 produces a script 118a, 118b that includes script commands for configuring the switches in accordance with the user specified information. Appendix A includes a sample configuring script. In the implementation described above, the switch manager 116 can export the configuration information 118a, 118b to extranet switches by transmitting the information 118a, 118b to a pre-determined switch directory via FTP (File Transfer Protocol). The script interfaces 138a, 138b on the switches 100a, 100b detect and process the script upon its arrival.
The exporting technique described above is merely illustrative and a wide variety of other techniques could be used to coordinate communication between a computer executing switch manager instructions 116 and the different extranet switches 100a, 100b. For example, the communication need not use FTP nor need the information take the form of a script.
Referring to
Referring to
Referring to
Referring to
Referring to
The administrator can also enable or disable different communication protocols such as HTTP (HyperText Transfer Protocol), SNMP (Simple Network Management Protocol), FTP (File Transfer Protocol), and TELNET. Additionally, the manager gives the administrator the ability to control the types of communication allowed. For example, an administrator can enable or disable tunnels between two extranet switches (e.g., branch to branch communication), between two users tunneling to the same switch (e.g., end user to end user), and between a user and a branch office tunneling to the same switch.
Referring to
Referring to
Referring to
The administrator can also define a primary RADIUS server and one or more alternate servers. The primary server receives all RADIUS authentication inquiries unless it is out of service. In the event that the primary server is unreachable, the switch will query the alternate RADIUS servers. By bulk configuring the servers used to provide RADIUS authentication, administrators can quickly route all RADIUS authentication requests to the same collection of RADIUS servers.
Referring to
After completing the bulk configuration wizard, the manager stores the specified configuration information, but does not transmit the information until the administrator specifically exports the configuration data. This provides administrators with a safeguard against accidentally bulk configuring the switches with unintended characteristics.
Reporting Capabilities
Referring to
Referring to
The switch 100a, 100b script interface 138a, 138b processes the script commands 128 and produces a file 150a, 150b including the requested information. The script interface 138a, 138b on the switch 100a, 100b can store the file in a pre-determined directory. The switch manager instructions 116 can then use FTP to retrieve the information 150a, 150b.
Again, a wide variety of other techniques could enable the switches 100a, 100b to communicate with the switch manager instructions 116. Additionally, instead of the request/response model described above, the switches 100a, 100b could schedule periodic execution of a script and/or periodic transmission of the switch information 150a, 150b.
Referring to
Referring to
Referring to
Referring to
Referring to
Custom Views
Referring to
As shown, the display also provides a tabbed dialog control 210 that provides more information and management options for a virtual private network element currently selected in the navigation pane 200 (e.g., “Configuration Data” 212). The control 210 includes dialogs for adding new elements to the tree from a palette 214 of elements, for viewing and altering properties 216 of a selected element, for a list of wizards 218 that perform tasks frequently used with a selected element, and a list of network links 222 that enable an administrator to manually configure an individual extranet switch. By providing management options corresponding to an element selected in the navigation pane 200, the GUI presents only a relevant subset of a wide variety of different management features at a given moment.
Referring to
As shown in
As shown in
As shown in
The different presentations of the data (e.g., subscriber based and switch based) described above enable the administrator to both ensure that subscribers are adequately served and that individual switches are configured as desired.
Referring to
The alterations to the switches, for example, adding RADIUS authentication to a switch, while immediately represented to the administrator, is not exported until explicitly requested by the administrator. Again, this gives the administrator a chance to avoid unintended modifications.
Referring to
Integrated Access to a Switch's Configuration Mechanisms
As previously described, an extranet switch such as the Contivity™ switch can include a web-server and different network pages (e.g., HTML (HyperText Markup-Language) documents) that enable an administrator to individually configure an extranet switch. By navigating to a switch web-server, an administrator can view and/or modify a switch's configuration.
Referring to
By providing the link menu in conjunction with the navigation pane 200, administrators can quickly access a desired page on any particular switch and can also quickly access the same page (e.g., the users page) on a variety of different switches, one after another. Additionally, the menu 260 obviates the need to remember the different extranet switch URLs or expend the time needed to navigate through any menu provided by the switch itself which necessitates potentially long waits for information to be transmitted to the switch manager.
As shown, the web-pages include pages that control how a switch handles users (
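The staged bulk configuration (stored, but not transmitted until the administrator explicitly exports it) and the per-switch link menu that prepares each URL from the switch IP address and a predefined page location are modelled together below. This is an added example, not code from the patent or from Nortel; the page paths, the `ipaddress` validation, the exporter callback and the sample addresses are assumptions made for the example.

```python
"""Added example (not code from the patent or from Nortel): a model of the
staged bulk configuration and the per-switch link menu described in the text.
The page paths, the IP validation and the exporter callback are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Predefined web-page locations on a switch's web-server. The page kinds
# (users, packet filters, access hours) follow the text; the paths are
# constructed for this example.
PAGE_LOCATIONS: Dict[str, str] = {
    "users": "/manage/users.htm",
    "packet_filters": "/manage/filters.htm",
    "access_hours": "/manage/hours.htm",
}


@dataclass
class ExtranetSwitch:
    name: str
    ip: str
    # Configuration stored by the manager but not yet sent to the switch.
    pending: Dict[str, object] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # Only a syntactically valid IP address may be embedded in a URL the
        # administrator's browser will follow; anything else raises ValueError.
        self.ip = str(ipaddress.ip_address(self.ip))


def build_url(ip: str, page: str, scheme: str = "http") -> str:
    """Prepare a URL by combining the switch address with a predefined page."""
    return f"{scheme}://{ip}{PAGE_LOCATIONS[page]}"


def link_menu(switch: ExtranetSwitch) -> Dict[str, str]:
    """The menu of links shown for the switch selected in the navigation pane."""
    return {page: build_url(switch.ip, page) for page in PAGE_LOCATIONS}


class SwitchManager:
    """Holds the switch list, stages bulk configuration, exports on request."""

    def __init__(self, exporter: Callable[[str, Dict[str, object]], None]):
        self._switches: Dict[str, ExtranetSwitch] = {}
        self._exporter = exporter  # the FTP'd script of the text, made pluggable

    def add_switch(self, name: str, ip: str) -> ExtranetSwitch:
        self._switches[name] = ExtranetSwitch(name, ip)
        return self._switches[name]

    def links_for(self, name: str) -> Dict[str, str]:
        return link_menu(self._switches[name])

    def bulk_configure(self, settings: Dict[str, object]) -> int:
        """Store settings for every switch without transmitting anything."""
        for switch in self._switches.values():
            switch.pending.update(settings)
        return len(self._switches)

    def export(self) -> int:
        """Transmit staged configuration; returns how many switches were sent."""
        sent = 0
        for switch in self._switches.values():
            if switch.pending:
                self._exporter(switch.ip, dict(switch.pending))
                switch.pending.clear()
                sent += 1
        return sent


def demo() -> Tuple[int, List[Tuple[str, Dict[str, object]]], Dict[str, str]]:
    """Constructed scenario: two switches, one RADIUS bulk configuration."""
    transmitted: List[Tuple[str, Dict[str, object]]] = []
    manager = SwitchManager(lambda ip, cfg: transmitted.append((ip, cfg)))
    manager.add_switch("boston", "192.0.2.10")  # documentation-range addresses
    manager.add_switch("london", "192.0.2.20")
    manager.bulk_configure({"radius_primary": "192.0.2.50",
                            "radius_alternates": ["192.0.2.51"]})
    before_export = len(transmitted)  # 0: nothing leaves the manager yet
    manager.export()
    return before_export, transmitted, manager.links_for("london")
```

The exporter is where a real implementation would plug in the FTP script transfer described earlier; keeping it as a callback makes the "store now, send on explicit export" safeguard easy to test on its own.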
The embodiments described above should not be considered limiting. For example, one of skill in the art could quickly construct a switch manager that performs the functions described above using different GUI controls or a different arrangement of GUI controls.
Additionally, the techniques described here are not limited to any particular hardware or software configuration; they may find applicability in any computing or processing environment. The techniques may be implemented in hardware or software, or a combination of the two. Preferably, the techniques are implemented in computer programs executing on programmable computers that each include a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device, and one or more output devices. Program code is applied to data entered using the input device to perform the functions described and to generate output information. The output information is applied to one or more output devices.
Each program is preferably implemented in a high level procedural or object oriented programming language to communicate with a computer system; however, the programs can be implemented in assembly or machine language, if desired. In any case, the language may be a compiled or interpreted language.
Each such computer program is preferably stored on a storage medium or device (e.g., CD-ROM, hard disk or magnetic diskette) that is readable by a general or special purpose programmable computer for configuring and operating the computer when the storage medium or device is read by the computer to perform the procedures described in this document. The system may also be considered to be implemented as a computer-readable storage medium, configured with a computer program, where the storage medium so configured causes a computer to operate in a specific and predefined manner.
Other embodiments are within the scope of the following claims.
Claims
1. A method of managing a virtual private network over an internet, the method comprising:
- providing by a computer a graphical user interface configured to display a list of VPN switches, for each of the VPN switches, a menu of links, each link for accessing, via the internet, a web-page generated by a web-server associated with the VPN switch, wherein each of the VPN switches offering virtual private network functions, wherein the list of VPN switches is displayed according to a hierarchical tree, each respective VPN switch comprising a node displayed on the hierarchical tree;
- displaying by the computer a first selectable functionality in conjunction with the hierarchical tree, the first selectable functionality for instantiating a new physical VPN switch by adding a new node to the hierarchical tree;
- displaying by the computer a second selectable functionality in conjunction with the hierarchical tree, the second selectable functionality for defining a network tunnel within the virtual private network, wherein defining the network tunnel includes receiving a selection of a first VPN switch as a tunnel start point and a second VPN switch as a tunnel end point, the second selectable functionality allowing for at least one network subscriber access to the tunnel; and
- displaying a third selectable functionality in conjunction with the hierarchical tree, the third selectable functionality allowing for providing a view of at least one tunneling technology offered by the VPN switch;
- transmitting an HTTP (Hyper Text Transfer Protocol) request when a link is selected by a user; and accessing a web-page associated with the selected link in response to the HTTP request, the web-page comprising configuration information related to the switch; modifying the configuration information of the switch via the accessed web-page.
2. The method of claim 1, wherein each of the links comprises an HTTP (HyperText Transfer Protocol) link.
3. The method of claim 1, wherein at least one of the links comprises a link to a web-page comprising information describing users of the virtual private network functions provided by the switch.
4. The method of claim 1, wherein at least one of the links comprises a link to a web-page comprising information describing packet filters provided by the switch.
5. The method of claim 1, wherein at least one of the links comprises a link to a web-page comprising information describing access hours of the switch.
6. The method of claim 1, wherein each of the links correspond to a uniform resource locator (URL), and the graphical user interface prepares each URL by sending an IP address of the switch to a predefined web-page location.
7. A method of managing a virtual private network, the method comprising:
- providing by a computer a graphical user interface display that includes:
- a list of extranet switches offering virtual private network functions (VPN switches) and
- a menu of HTTP links for each VPN switch selected from the list of VPN switches, each HTTP link, when selected, causing transmission of an HTTP request to access a web-page generated by a web-server associated with the VPN switch, wherein the list of VPN switches is displayed according to a hierarchical tree, each respective VPN switch comprising a node displayed on the hierarchical tree;
- displaying by the computer a first selectable functionality in conjunction with the hierarchical tree, the first selectable functionality for instantiating a new physical VPN switch by adding a new node to the hierarchical tree;
- displaying by the computer a second selectable functionality in conjunction with the hierarchical tree, the second selectable functionality for defining a network tunnel within the virtual private network, wherein defining the network tunnel includes receiving a selection of a first VPN switch as a tunnel start point and a second VPN switch as a tunnel end point, the second selectable functionality allowing for at least one network subscriber access to the tunnel; and
- displaying a third selectable functionality in conjunction with the hierarchical tree, the third selectable functionality allowing for providing a view of at least one tunneling technology offered by the VPN switches;
- transmitting an HTTP (Hyper Text Transfer Protocol) request when a link is selected by a user; and accessing a web-page associated with the selected link in response to the HTTP request, the web-page comprising configuration information related to the VPN switch;
- modifying the configuration information of the VPN switch via the accessed web-page.
8. A system for managing a virtual private network, the system comprising:
- a processor; and
- a non-transitory computer readable medium electronically coupled to the processor; a plurality of instructions wherein said plurality of instructions are stored in the non-transitory computer readable medium, and wherein the plurality of instructions are configured to cause the processor to perform the step of:
- providing a graphical user interface configured to display a list of VPN switches, and for one of the VPN switches, a menu of links, each link for accessing, via the internet, a web-page generated by a web-server associated with the VPN switch, wherein each of the VPN switches offering virtual private network functions, wherein the list of VPN switches is displayed according to a hierarchical tree, each respective VPN switch comprising a node displayed on the hierarchical tree;
- displaying a first selectable functionality in conjunction with the hierarchical tree, the first selectable functionality for instantiating a new physical VPN switch by adding a new node to the hierarchical tree;
- displaying a second selectable functionality in conjunction with the hierarchical tree, the second selectable functionality for defining a network tunnel within the virtual private network, wherein defining the network tunnel includes receiving a selection of a first VPN switch as a tunnel start point and a second VPN switch as a tunnel end point, the second selectable functionality allowing for at least one network subscriber access to the tunnel; and
- displaying a third selectable functionality in conjunction with the hierarchical tree, the third selectable functionality allowing for providing a view of at least one tunneling technology offered by the VPN switch;
- transmitting an HTTP (Hyper Text Transfer Protocol) request when a link is selected by a user; and accessing a web-page associated with the selected link in response to the HTTP request, the web-page comprising configuration information related to the switch; modifying the configuration information of the switch via the accessed web-page.
9. The system of claim 8, wherein each link comprises an HTTP (HyperText Transfer Protocol) link.
10. The system of claim 8, wherein at least one of the links comprises a link to a web-page comprising information describing users of the virtual private network functions provided by the switch.
11. The system of claim 8, wherein at least one of the links comprises a link to a web-page comprising information describing packet filters provided by the switch.
12. The system of claim 8, wherein at least one of the links comprises a link to a web-page comprising information describing access hours of the switch.
13. The system of claim 8, wherein each of the links corresponds to a uniform resource locator (URL), and the graphical user interface prepares each URL by sending an IP address of the switch to a predefined web-page location.
14. A system for managing a virtual private network, the system comprising:
- a processor; and
- a non-transitory computer readable medium electronically coupled to the processor;
- a plurality of instructions wherein said plurality of instructions are stored in the non-transitory computer readable medium, and wherein the plurality of instructions are configured to cause the processor to provide a graphical user interface display that includes:
- a list of extranet switches offering virtual private network functions (VPN switches); and a menu of HTTP links for each VPN switch selected from the list of VPN switches, each HTTP link, when selected, causing transmission of an HTTP request to access a web-page generated by a web-server associated with the VPN switch, wherein the list of VPN switches is displayed according to a hierarchical tree, each respective VPN switch comprising a node displayed on the hierarchical tree;
- displaying a first selectable functionality in conjunction with the hierarchical tree, the first selectable functionality for instantiating a new physical VPN switch by adding a new node to the hierarchical tree;
- displaying a second selectable functionality in conjunction with the hierarchical tree, the second selectable functionality for defining a network tunnel within the virtual private network, wherein defining the network tunnel includes receiving a selection of a first VPN switch as a tunnel start point and a second VPN switch as a tunnel end point, the second selectable functionality allowing for at least one network subscriber access to the tunnel; and
- displaying a third selectable functionality in conjunction with the hierarchical tree, the third selectable functionality allowing for providing a view of at least one tunneling technology offered by the VPN switches;
- transmitting an HTTP (Hyper Text Transfer Protocol) request when a link is selected by a user; and accessing a web-page associated with the selected link in response to the HTTP request, the web-page comprising configuration information related to the switch; modifying the configuration information of the switch via the accessed web-page.
Type: Grant
Filed: Nov 12, 2003
Date of Patent: Nov 9, 2010
Patent Publication Number: 20050022183
Assignee: Nortel Networks Corporation (Montreal, Quebec)
Inventors: Matthew W. Poisson (Manchester, NH), Melissa L. Desroches (Kingston, NH), James M. Milillo (Manchester, NH)
Primary Examiner: Duyen M Doan
Attorney: Chapin IP Law, LLC
Application Number: 10/706,601
International Classification: G06F 15/16 (20060101);